CLAIMS 

What is claimed is: 
1. A method for deploying configuration instructions to security devices in order to 
implement a security policy in a network, the method comprising the computer-implemented 
steps of: 

detecting that implementing a security policy will cause an address translation 
alteration in a packet communicated between a management source and a 
plurality of security devices for implementing the security policy on the 
network; 

identifying, from among the plurality of security devices, one or more sets of security 
devices that have one or more configuration dependencies as a result of the 
address translation alteration if the security policy is implemented; and 

sending one or more configuration instructions from the management source to each 
of the one or more sets of security devices using an order that is determined 
based on the one or more configuration dependencies, resulting in 
implementing the security policy on the network. 

2. A method as recited in Claim 1, wherein sending configuration instructions from the 
management source to the one or more sets of security devices includes sending 
configuration instructions to multiple sets of security devices in parallel, wherein each of the 
multiple sets of security devices includes one or more configuration dependencies. 

3. A method as recited in Claim 2, wherein: 

identifying one or more sets of security devices that would each have one or more 
configuration dependencies as a result of the address translation alteration includes 
identifying a first network path that interconnects the management source and a first 
set of the one or more security devices in series, and a second network path that 
interconnects the management source and a second set of the one or more security 
devices in series; and 

sending configuration instructions to multiple sets of security devices in parallel includes 
sending configuration instructions to one or more security devices on the first network 
path and on the second network path concurrently, and independently of one another, 
using the order determined by the one or more configuration dependencies. 

4. A method as recited in Claim 1, wherein: 

identifying one or more sets of security devices that would each have one or more 
configuration dependencies as a result of the address translation alteration includes 
identifying a first network path that interconnects the management source and a first 
set of the one or more security devices in series, and a second network path that 
interconnects the management source and a second set of the one or more security 
devices in series; 

sending configuration instructions from the management source to each of the one or more 
sets of security devices includes sending configuration instructions to one or more 
security devices on the first network path and on the second network path in parallel; 
and 

sending configuration instructions to one or more security devices on the first network path 
includes sending configuration instructions to at least some of the security devices on 
the first network path sequentially, beginning with a first security device on the first 
network path that is ordered to be a last one of the security devices on the first 
network path to receive communications from the management source. 

5. A method as recited in Claim 1, wherein: 

detecting that implementing the security policy will cause an address translation alteration 
between a management source and a plurality of security devices includes detecting 
that implementing the security policy will cause a natural address translation between 
the management source and one of the plurality of security devices. 

6. The method as recited in Claim 1, wherein: 

detecting that implementing the security policy will cause an address translation alteration 
between a management source and a plurality of security devices includes detecting 
that implementing the security policy will cause a static address translation between 
the management source and one of the plurality of security devices. 

7. A method as recited in Claim 1, wherein: 

detecting that implementing the security policy will cause an address translation alteration 
between a management source and a plurality of security devices includes detecting 
that implementing the security policy will cause a tunneling translation between the 
management source and one of the plurality of security devices. 

8. A method as recited in Claim 1, wherein: 

detecting that implementing the security policy will cause an address translation alteration 
between a management source and a plurality of security devices includes detecting 
that implementing the security policy will cause a natural address translation; 

identifying one or more sets of security devices that would each have one or more 
configuration dependencies as a result of the address translation alteration includes 
identifying a first network path that interconnects the management source and a first 
set of the one or more security devices in series; and 

sending configuration instructions from the management source to one or more sets of 
security devices includes sending configuration instructions to at least some of the 
security devices on the first network sequentially, beginning with a first security 
device on the first network path that is ordered to be a last one of the security devices 
on the first network path to receive communications from the management source. 

9. A method as recited in Claim 1, wherein: 

detecting that implementing the security policy will cause an address translation alteration 
between a management source and a plurality of security devices includes detecting 
that implementing the security policy will cause a static address translation on the first 
network path; and 

identifying one or more sets of security devices that would each have one or more 
configuration dependencies as a result of the address translation alteration includes 
identifying a first network path that interconnects the management source and a first 
set of the one or more security devices in series; 

sending configuration instructions from the management source to one or more sets of 
security devices includes sending configuration instructions to one or more security 
devices on the first network path using the order of either (i) sending configuration 
instructions to each security device of the first network path that is ordered in series 
between the management source and the static address translation before sending 
configuration instructions from the management source to any of the other security 
devices that are ordered in series after the static address translation, or (ii) sending 
configuration instructions to all of the other security devices that are ordered in series 
after the static address translation before sending configuration instructions from the 
management source to each security device that is ordered between the management 
source and the static address translation. 

10. A method as recited in Claim 1, wherein: 

detecting that implementing the security policy will cause an address translation alteration 
between a management source and a plurality of security devices includes detecting 
that implementing the security policy will cause a tunneling translation on the first 
network path; and 

identifying one or more sets of security devices that would each have one or more 
configuration dependencies as a result of the address translation alteration includes 
identifying a first network path that interconnects the management source and a first 
set of the one or more security devices in series; 

sending configuration instructions from the management source to one or more sets of 
security devices includes sending configuration instructions to one or more security 
devices on the first network path using the order of either (i) sending configuration 
instructions to each security device of the first network path that is ordered in series 
between the management source and the static address translation before sending 
configuration instructions from the management source to any of the other security 
devices that are ordered in series after the static translation, or (ii) sending 
configuration instructions to all of the other security devices that are ordered in series 
after the static translation before sending configuration instructions from the 
management source to each security device that is ordered between the management 
source and the tunneling translation. 

11. A method for deploying configuration instructions to security devices in order to 
implement a security policy in a network, the method comprising the computer-implemented 
steps of: 

detecting that the security policy creates a change of one or more configuration 
dependencies as compared with an existing security policy, each configuration 
dependency corresponding to at least a first security device having to be 
configured before a second security device is configured in order for the first 
security device to receive its configuration instructions for implementing the 
security policy from a management source; and 

deploying configuration instructions to one or more security devices to implement the 
security policy according to an order determined by the one or more 
configuration dependencies. 

12. A method as recited in Claim 11, wherein deploying configuration instructions 
includes deploying, for a network path containing at least a first configuration dependency of 
the one or more configuration dependencies, configuration instructions to a first security 
device of the first configuration dependency before deploying configuration instructions to a 
second security device of the first configuration dependency, wherein the first security device 
has to be configured before the second security device in order for the first security device to 
receive its configuration instructions for implementing the security policy from the 
management source. 

13. A method as recited in Claim 11, further comprising creating a schedule to implement 
the security policy to account for the change in the one or more configuration dependencies, 
and wherein deploying configuration instructions to one or more security devices includes 
using the schedule to deploy the configuration instructions. 

14. A method as recited in Claim 13, wherein deploying configuration instructions 
includes deploying in parallel the configuration instructions to each of the first security 
devices in the one or more configuration dependencies. 

15. A method as recited in Claim 11, wherein detecting that the security policy creates a 
change of one or more configuration dependencies from an existing security policy includes 
detecting the addition, deletion or modification of an address translation in a network path 
between the one or more security devices and the policy manager. 

16. A method as recited in Claim 14, further comprising detecting the addition, deletion 
or modification of the address translation selected from an address translation type consisting 
of a natural address translation type, a reverse address translation type, and a tunnel 
translation. 

17. A computer-readable medium for deploying configuration instructions to security 
devices in order to implement a security policy in a network, the computer-readable medium 
carrying instructions for implementing the steps of: 

detecting that implementing a security policy will cause an address translation 
alteration in a packet communicated between a management source and a 
plurality of security devices for implementing the security policy on the 
network; 

identifying, from among the plurality of security devices, one or more sets of security 
devices that have one or more configuration dependencies as a result of the 
address translation alteration if the security device is implemented; and 

sending one or more configuration instructions from the management source to each 
of the one or more sets of security devices using an order that is determined 
based on the one or more configuration dependencies, resulting in 
implementing the security policy on the network. 

18. A computer-readable medium as recited in Claim 17, wherein instructions for sending 
one or more configuration instructions from the management source to each of the one or 
more sets of security devices include instructions for sending configuration instructions to 
multiple sets of security devices in parallel, wherein each of the multiple sets of security 
devices includes one or more configuration dependencies. 

19. A computer-readable medium as recited in Claim 18, wherein: 

instructions for identifying one or more sets of security devices that would each have one or 
more configuration dependencies as a result of the address translation alteration 
include instructions for identifying a first network path that interconnects the 
management source and a first set of the one or more security devices in series, and a 
second network path that interconnects the management source and a second set of 
the one or more security devices in series; and 

instructions for sending one or more configuration instructions to multiple sets of security 
devices in parallel include instructions for sending configuration instructions to one or 
more security devices on the first network path and on the second network path 
concurrently, and independently of one another. 

20. A computer-readable medium as recited in Claim 17, wherein: 

instructions for identifying one or more sets of security devices that would each have one or 
more configuration dependencies as a result of the address translation alteration 
include instructions for identifying a first network path that interconnects the 
management source and a first set of the one or more security devices in series, and a 
second network path that interconnects the management source and a second set of 
the one or more security devices in series; 

instructions for sending one or more configuration instructions from the management source 
to each of the one or more sets of security devices include sending configuration 
instructions to one or more security devices on the first network path and on the 
second network path in parallel, including for sending configuration instructions to at 
least some of the security devices on the first network path sequentially, beginning 
with a first security device on the first network path that is ordered to be a last one of 
the security devices on the first network path to receive communications from the 
management source. 

21. A computer-readable medium as recited in Claim 17, wherein: 

instructions for detecting that implementing the security policy will cause an address 
translation alteration between a management source and a plurality of security devices 
include instructions for detecting that implementing the security policy will cause a 
natural address translation between the management source and one of the plurality of 
security devices. 

22. The computer-readable medium as recited in Claim 17, wherein: 

instructions for detecting that implementing the security policy will cause an address 
translation alteration between a management source and a plurality of security devices 
include instructions for detecting that implementing the security policy will cause a 
static address translation between the management source and one of the plurality of 
security devices. 

23. A computer-readable medium as recited in Claim 17, wherein: 

instructions for detecting that implementing the security policy will cause an address 
translation alteration between a management source and a plurality of security devices 
include instructions for detecting that implementing the security policy will cause a 
tunneling translation between the management source and one of the plurality of 
security devices. 

24. A computer-readable medium as recited in Claim 17, wherein: 

instructions for detecting that implementing the security policy will cause an address 
translation alteration between a management source and a plurality of security devices 
include instructions for detecting that implementing the security policy will cause a 
natural address translation; 

instructions for identifying one or more sets of security devices that would each have one or 
more configuration dependencies as a result of the address translation alteration 
include instructions for identifying a first network path that interconnects the 
management source and a first set of the one or more security devices in series; and 

instructions for sending one or more configuration instructions from the management source 
to one or more sets of security devices include instructions for sending configuration 
instructions to at least some of the security devices on the first network sequentially, 
beginning with a first security device on the first network path that is ordered to be a 
last one of the security devices on the first network path to receive communications 
from the management source. 

25. A computer-readable medium as recited in Claim 17, wherein: 

instructions for detecting that implementing the security policy will cause an address 
translation alteration between a management source and a plurality of security devices 
include instructions for detecting that implementing the security policy will cause a 
static address translation on the first network path; 

instructions for identifying one or more sets of security devices that would each have one or 
more configuration dependencies as a result of the address translation alteration 
include instructions for identifying a first network path that interconnects the 
management source and a first set of the one or more security devices in series; and 

instructions for sending configuration instructions from the management source to one or 
more sets of security devices include instructions for sending configuration 
instructions to one or more security devices on the first network path using the order 
of either (i) sending configuration instructions to each security device of the first 
network path that is ordered in series between the management source and the static 
address translation before sending configuration instructions from the management 
source to any of the other security devices that are ordered in series after the static 
address translation, or (ii) sending configuration instructions to all of the other 
security devices that are ordered in series after the static address translation before 
sending configuration instructions from the management source to each security 
device that is ordered between the management source and the static address 
translation. 

26. A computer-readable medium as recited in Claim 17, wherein: 

instructions for detecting that implementing the security policy will cause an address 
translation alteration between a management source and a plurality of security devices 
include instructions for detecting that implementing the security policy will cause a 
tunneling translation on the first network path; 

instructions for identifying one or more sets of security devices that would each have one or 
more configuration dependencies as a result of the address translation alteration 
include instructions for identifying a first network path that interconnects the 
management source and a first set of the one or more security devices in series; and 

instructions for configuration instructions from the management source to one or more sets of 
security devices include instructions for sending configuration instructions to one or 
more security devices on the first network path using the order of either (i) sending 
configuration instructions to each security device of the first network path that is 
ordered in series between the management source and the static address translation 
before sending configuration instructions from the management source to any of the 
other security devices that are ordered in series after the static translation, or (ii) 
sending configuration instructions to all of the other security devices that are ordered 
in series after the static translation before sending configuration instructions from the 
management source to each security device that is ordered between the management 
source and the tunneling translation. 

27. A computer system for deploying configuration instructions to security devices in 
order to implement a security policy in a network, the computer system comprising: 

means for detecting that implementing the security policy will cause an 
address translation alteration between a management source and a 
plurality of security devices for implementing the security device on 
the network; 

means for identifying, from the plurality of security devices, one or more sets 
of security devices that would each have one or more configuration 
dependencies as a result of the address translation alteration; and 

means for sending configuration instructions from the management source to 
each of the one or more sets of security devices in order to implement 
the security policy. 

28. A management device for deploying configuration instructions to a plurality of 
security devices in order to implement a security policy on a network, the management 
device comprising: 

a processor configured to: 

detect that implementing the security policy will cause an address translation 
alteration between a management source and a plurality of security 
devices for implementing the security device on the network; 

identify, from the plurality of security devices, one or more sets of security 
devices that would each have one or more configuration dependencies 
as a result of the address translation alteration; and 

send configuration instructions from the management source to each of the 
one or more sets of security devices using an order that is determined 
by the one or more configuration dependencies, so as to implement the 
security policy on the network. 
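
The per-path orderings recited in Claims 4 and 9 and the parallel deployment of Claims 2 and 3 can be sketched as follows; this is an added example, not part of the patent text. The `Path` structure, the device names, the full reverse order used for a natural translation and the lock-step "wave" schedule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Path:
    """One network path: devices in series, nearest to the management source first."""
    devices: List[str]
    translation: Optional[str] = None  # None, "natural", "static" or "tunnel"
    boundary: int = 0                  # devices[:boundary] sit before the translation
    far_side_first: bool = False       # pick option (ii) instead of option (i)


def path_order(path: Path) -> List[str]:
    """Sending order for one path, following the orderings recited in the claims."""
    if path.translation is None:
        return list(path.devices)            # no dependency; list order kept (assumption)
    if path.translation == "natural":
        return list(reversed(path.devices))  # start with the last device on the path
    if path.translation in ("static", "tunnel"):
        near = path.devices[:path.boundary]
        far = path.devices[path.boundary:]
        return far + near if path.far_side_first else near + far
    raise ValueError(f"unknown translation type: {path.translation!r}")


def dependency_pairs(path: Path) -> List[Tuple[str, str]]:
    """(first, second) pairs: 'first' must be configured before 'second'."""
    order = path_order(path)
    if path.translation is None:
        return []
    if path.translation == "natural":
        return list(zip(order, order[1:]))
    # static/tunnel: every device of the leading group precedes every device of the other
    split = len(path.devices) - path.boundary if path.far_side_first else path.boundary
    return [(a, b) for a in order[:split] for b in order[split:]]


def deployment_waves(paths: List[Path]) -> List[List[str]]:
    """Lock-step waves: wave i holds the i-th device of every path, sent concurrently."""
    orders = [path_order(p) for p in paths]
    flat = [d for o in orders for d in o]
    if len(flat) != len(set(flat)):
        raise ValueError("a device appears on more than one path")
    depth = max((len(o) for o in orders), default=0)
    return [[o[i] for o in orders if i < len(o)] for i in range(depth)]


def violations(waves: List[List[str]], paths: List[Path]) -> List[Tuple[str, str]]:
    """Dependency pairs whose 'second' device is not scheduled strictly after 'first'."""
    wave_of = {d: i for i, wave in enumerate(waves) for d in wave}
    return [(a, b) for p in paths for a, b in dependency_pairs(p)
            if wave_of[a] >= wave_of[b]]


# Constructed topology: two paths leaving the management source.
PATHS = [
    Path(["fw-a1", "fw-a2", "fw-a3"], translation="natural"),
    Path(["fw-b1", "fw-b2", "fw-b3"], translation="static", boundary=1),
]

if __name__ == "__main__":
    for i, wave in enumerate(deployment_waves(PATHS), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

Running `violations` over a proposed schedule before pushing any configuration flags the orderings that would leave a device unable to receive its instructions from the management source.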